HPE MSR3000 - Page 173

The AAA authorization feature enables IKEv2 to request authorization attributes, such as the
IKEv2 address pool, from AAA. IKEv2 uses the address pool to assign IP addresses to remote
users. For more information about AAA authorization, see "Configuring AAA."
To configure an IKEv2 profile:
Step 13. Enter system view.
  Command: system-view
  Remarks: N/A

Step 14. Create an IKEv2 profile and enter IKEv2 profile view.
  Command: ikev2 profile profile-name
  Remarks: By default, no IKEv2 profiles exist.

Step 15. Configure the local and remote identity authentication methods.
  Command: authentication-method { local | remote } { dsa-signature | ecdsa-signature | pre-share | rsa-signature }
  Remarks: By default, no local or remote identity authentication method is configured.

Step 16. Specify a keychain.
  Command: keychain keychain-name
  Remarks: By default, no keychain is specified for an IKEv2 profile. Perform this task when the pre-shared key authentication method is specified.

Step 17. Specify a PKI domain.
  Command: certificate domain domain-name [ sign | verify ]
  Remarks: By default, the device uses PKI domains configured in system view. Perform this task when the digital signature authentication method is specified.

Step 18. Configure the local ID.
  Command: identity local { address { ipv4-address | ipv6 ipv6-address } | dn | email email-string | fqdn fqdn-name | key-id key-id-string }
  Remarks: By default, no local ID is configured, and the device uses the IP address of the interface where the IPsec policy applies as the local ID.

Step 19. Configure peer IDs.
  Command: match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } | fqdn fqdn-name | email email-string | key-id key-id-string } }
  Remarks: By default, no peer ID is configured. You must configure a minimum of one peer ID on each of the two peers.

Step 20. (Optional.) Specify the local interface or IP address to which the IKEv2 profile can be applied.
  Command: match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } }
  Remarks: By default, an IKEv2 profile can be applied to any local interface or IP address.

Step 21. (Optional.) Specify a priority for the IKEv2 profile.
  Command: priority priority
  Remarks: By default, the priority of an IKEv2 profile is 100.

Step 22. (Optional.) Specify a VPN instance for the IKEv2 profile.
  Command: match vrf { name vrf-name | any }
  Remarks: By default, an IKEv2 profile belongs to the public network.

Step 23. (Optional.) Set the IKEv2 SA lifetime for the IKEv2 profile.
  Command: sa duration seconds
  Remarks: By default, the IKEv2 SA lifetime is 86400 seconds.
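
A worked configuration for the procedure above, added here as an illustration and not taken from the HPE manual. It uses only the commands listed in the steps (plus quit to leave a view). All names, addresses and values (profile1, profile2, keychain1, domain1, the example.com FQDNs, the 192.0.2.x and 198.51.100.x addresses, 28800, 50) are constructed, keychain1 and domain1 are assumed to have been created beforehand, and lines starting with # are annotations.

```text
# Constructed example values throughout; not from the HPE manual.
system-view

# Profile 1: pre-shared key authentication in both directions.
ikev2 profile profile1
 authentication-method local pre-share
 authentication-method remote pre-share
 # Needed because pre-share is used; keychain1 is assumed to exist already.
 keychain keychain1
 # Without this line the device falls back to the interface IP as local ID.
 identity local fqdn router-a.example.com
 # At least one peer ID is required on each of the two peers.
 match remote identity fqdn router-b.example.com
 # Restrict the profile to one local address instead of the default (any).
 match local address 192.0.2.1
 # Shorten the IKEv2 SA lifetime from the default 86400 seconds.
 sa duration 28800
 quit

# Profile 2: RSA signature authentication in both directions.
ikev2 profile profile2
 authentication-method local rsa-signature
 authentication-method remote rsa-signature
 # Optional with signatures; otherwise system-view PKI domains are used.
 certificate domain domain1
 identity local dn
 # Peer ID given as an IPv4 subnet (address plus mask).
 match remote identity address 198.51.100.0 255.255.255.0
 # Non-default priority (default is 100).
 priority 50
 quit
```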
